Hi guys,
I want to play around with Stateful Tracking Options.
The first step was to start analyzing "normal traffic" and the count of states to a specific machine.
I'm using both of these commands:

    pfctl -vvsr
    pfctl -ss

The output is a big list, so here comes grep to break it down into something more readable.

    sudo pfctl -vvsr | grep -A2 "from any to x.x.x.x" | grep -A2 igb0 | grep -A2 https
    @24 pass quick on igb0 inet proto tcp from any to x.x.x.x port = https flags S/SA keep state
    [ Evaluations: 154365 Packets: 843136 Bytes: 562069982 States: 8 ]
    [ Inserted: uid 0 pid 63274 State Creations: 12946 ]

As you can see, there is a state count of 8.
Displaying the states themselves with pfctl -ss and doing some grep and line counting shows a different count. To double-check the output, I also counted by hand without using wc.

    sudo pfctl -ss | grep x.x.x.x | grep 443 | grep "<-" | wc -l
    No ALTQ support in kernel
    ALTQ related functions disabled
    10

The commands are sent simultaneously via 2 ssh sessions with mputty. It's a bit surprising that the counts are different. Sometimes the count from both commands matches. When the load is much heavier, I always get different values.
I suppose that pfctl -vvsr generates a big output, which needs some time until it gets to rule 24. During these few milliseconds the states have changed, and so I get different outputs.
How do you see that?
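An added example, not part of the original post: counting states per rule from a single state-table snapshot, next to the substring grep used above. It assumes `pfctl -vvss` prints the creating rule number on each state's detail line; the sample dump, its addresses and the rule numbers other than 24 are constructed.

```shell
#!/bin/sh
# Constructed sample in the shape of `pfctl -vvss` output, trimmed to the two
# lines per state that the parser reads. Addresses are documentation ranges.
sample_states() {
cat <<'EOF'
all tcp 192.0.2.10:443 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
   age 00:01:12, expires in 23:59:58, 12:10 pkts, 1820:5320 bytes, rule 24
all tcp 192.0.2.10:443 <- 198.51.100.9:40022       FIN_WAIT_2:FIN_WAIT_2
   age 00:00:40, expires in 00:01:10, 9:8 pkts, 1100:4200 bytes, rule 24
all tcp 192.0.2.10:443 <- 203.0.113.5:55000       ESTABLISHED:ESTABLISHED
   age 00:03:05, expires in 23:58:00, 30:28 pkts, 4100:9000 bytes, rule 31
all tcp 192.0.2.10:8443 <- 198.51.100.7:51300       ESTABLISHED:ESTABLISHED
   age 00:00:09, expires in 23:59:51, 5:4 pkts, 600:800 bytes, rule 40
all tcp 192.0.2.10:22 <- 198.51.100.7:44321       ESTABLISHED:ESTABLISHED
   age 00:10:00, expires in 23:50:00, 80:75 pkts, 9000:9500 bytes, rule 12
EOF
}

# Mimics the grep pipeline from the post: plain substring matches per line,
# so port 8443, source port 44321 and states from other rules all count.
loose_count() {    # usage: loose_count ADDR PORT < dump
    grep -- "$1" | grep -- "$2" | grep -c -- "<-"
}

# Counts inbound states to exactly ADDR:PORT that were created by rule RULE.
rule_count() {     # usage: rule_count RULE ADDR PORT < dump
    awk -v rule="$1" -v dst="$2:$3" '
        # A state header starts in column 0: iface proto dst <- src state
        /^[^ \t]/ { hit = ($3 == dst && $4 == "<-"); next }
        # Detail lines are indented; pick the rule number out of them
        hit && match($0, /rule [0-9]+/) {
            if (substr($0, RSTART + 5, RLENGTH - 5) == rule) n++
            hit = 0
        }
        END { print n + 0 }'
}

# On a live firewall: pfctl -vvss 2>/dev/null | rule_count 24 x.x.x.x 443
sample_states | loose_count 192.0.2.10 443      # 5
sample_states | rule_count 24 192.0.2.10 443    # 2
```

The per-rule count is the figure that corresponds to the `States:` counter shown for rule 24 by `pfctl -vvsr`; the two commands are still separate snapshots, so small differences under load remain possible.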